Similar presentations:
Exploiting, Abusing, and Securing the FrontPage Server Extensions on Windows Server 2003
1. FrontPage: 2003
Exploiting, Abusing, and Securing the FrontPageServer Extensions on Windows Server 2003
Mark Burnett
2.
FrontPage: 2003Exploiting, Abusing, and Securing the FrontPage
Server Extensions on Windows Server 2003
Mark Burnett
3. Background
History of the FPSEDifferent names, same old holes
What products include FPSE?
4. Risks
Are the FPSE as insecure aseveryone says?
What are the real risks?
–
–
–
–
–
–
Increased attack surface
Entry point
Information gathering
Running on system partition
Insufficient logging
Storing files within the web root
5. Risks
What are some greater risks?– Confusing security model
– Running in-process with
inetinfo.exe
– Relaxed NTFS permissions
– Cannot be secured without NTFS
6. The FPSE Files
The same files?– _vti_bin/shtml.dll
– _vti_bin/_vti_aut/author.dll
– _vti_bin/_vti_adm/admin.dll
FPSE 2002
– _vti_bin/owssvr.dll
– _vti_bin/_vti_adm/fpadmdll.dll
7. FPSE Directories
_vti_bin – FPSE Binaries_private _vti_cnf
_vti_pvt
_vti_script
_vti_txt
8. Decoding vti_rpc
Sending vti_rpc methods– POST to FPSE binaries
– GET to owssvr.dll
– Multiple posts using CAML
Interpreting output
9. Sample Output
• <html><head><title>vermeer RPCpacket</title></head>
• <body>
• <p>method=list services:4.0.2.0
• <p>services_list=
• <ul>
• <li>SR|msiis
• <li>vti_usagevisitsbyweek
• <li>UX|337 380 423 501 297
• <li>vti_usagebymonth
• <li>UX|88 4195 2667 3497 90
• <li>vti_welcomenames
• <li>VX|Default.htm Default.asp
Default.aspx
• <li>vti_adminurl
• <li>SR|/_vti_bin/_vti_adm/fpadmdll.dll
10. Cool vti_rpc Tricks
Finding unprotected web sitesListing webs
Other info gathering
method=list+services:4.0.2.0000&service_name=
11. vti_rpc Exploits
New exploits to be announced12. Other Exploits
New exploits to be announced13. Updating the FPSE
Finding product updatesConfusing and inconsistent
Manual fixes
14. Manual Fixes
Htimage.exe and Imagemap.exe– Microsoft’s solution
– Another Microsoft solution
– The real solution?
15. The Security Model
Browse, Author, and AdministerNTFS Permissions on web root
Common Mistakes
16. Installing & Uninstalling
Installing &Uninstalling
Why are the directories there on
a clean install?
Why won’t they uninstall?
How do you remove them?
17. Moving the FPSE
1. Move the binaries2. Update the registry
3. Update the metabase
18. Securing the FPSE
The FPSE can be used safely if you:Secure user accounts
Set proper NTFS permissions
Set proper IIS permissions
Configure the registry defaults
Keep patched
Use SSL for authoring
Manage log files
Set IP Restrictions
19. Advanced Techniques
Mirror sitesURLScan Rules
Custom ISAPI filter
FPSE neutered
NTFS restrictions
Remove directories
Disable authoring
20. FPSE Intrusions
Spotting attacksLog entries
Other trails
FPSE vs. WebDAV
21. Snort Rules
Updated Snort rulesLogging FPSE authoring with
Snort
22. FrontPage Tools
Xfp.pl – FrontPage securityscanner
Fpseinfo.pl – FrontPage info
gathering
SecureFPSE.cmd – Harden
FrontPage Server Extensions
fpBlock – ISAPI filter for
FrontPage IP restrictions
23. Xfp.pl
24. Fpseinfo.pl
Returns FPSE information- Web server platform
- Anonymous user account
- Site statistics
- Hidden directories
- More
25. SecureFPSE.cmd
Removes htimage.exe andimagemap.exe
Moves binaries
Registers components in new
lcoation
Updates metabase
Updates registry